Penpot is an open-source design tool for design and code collaboration. Prior to 2.14.5, Penpot exposed teams_invitations.clj invitation tokens from create-team-invitations, embedded an existing profile id in auth.clj prepare-register-profile, and had auth.clj register-profile issue a session based on the invitation email match without password verification, allowing a registered user to take over any non-blocked profile. This issue is fixed in version 2.14.5.
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Wed, 15 Jul 2026 19:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Penpot
Penpot penpot |
|
| Vendors & Products |
Penpot
Penpot penpot |
Wed, 15 Jul 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 15 Jul 2026 15:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Penpot is an open-source design tool for design and code collaboration. Prior to 2.14.5, Penpot exposed teams_invitations.clj invitation tokens from create-team-invitations, embedded an existing profile id in auth.clj prepare-register-profile, and had auth.clj register-profile issue a session based on the invitation email match without password verification, allowing a registered user to take over any non-blocked profile. This issue is fixed in version 2.14.5. | |
| Title | Penpot: Pre-authenticated account takeover via team-invitation token + prepare-register-profile | |
| Weaknesses | CWE-287 CWE-639 |
|
| References |
| |
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-15T15:40:07.943Z
Reserved: 2026-05-08T16:23:33.265Z
Link: CVE-2026-44986
Updated: 2026-07-15T15:38:39.529Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-15T18:45:15Z